As members of the Fusion Middleware Architecture Group (a.k.a the A-Team), we get exposed to a wide range of challenging technical issues around security and Oracle Fusion Middleware. We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.
NOTICE: All our posts and much more can now be found at http://www.ateam-oracle.com/category/identity-management/

Wednesday, July 18, 2012

In my last post I wrote about the complicated and timely process of determining all of a user’s group memberships when an LDAP namespace includes nested and dynamic group memberships. I wrote about how you can simplify and speed up getting a user’s group memberships through the use of a dynamic “member of” attribute and specifically the orclMemberOf attribute in OID.

Today I’d like to extend this discussion to WebLogic server authentications.

Tuesday, July 17, 2012

New versions of OIM connectors have been released in the past few months (version number is 11.1.1.x). These new releases bring an important change to OIM connectors: they are based on the Identity Connector Framework (ICF). The 11.1.1.5 documentation for the ICF is available at:

One of the things that ICF brings is the capability of deploying connectors to an ‘Identity Connector Server’ (but keep in mind you still need to deploy the connector to OIM as well). When using a connector server, OIM will delegate to the connector server the execution of the provisioning tasks. Except for the .NET based connectors (like AD and Exchange), the connector server is an optional piece in an OIM topology and its use depends on the project requirements.

Friday, July 13, 2012

The 11g R2 release of the Oracle Identity Management stack is upon us. The 11g R2 release greatly expands the capabilities of the stack, especially in the area of cloud and mobile environments. On Thursday, July 19 at 10am PST / 1pm EST there will be an interactive Oracle Identity Management 11g R2 launch webcast hosted by Oracle product development executives Hasan Rizvi and Amit Jasuja.

Thursday, July 12, 2012

This is the first one in a series of posts dedicated to the design of tools that have the common goal of simplifying or enhancing the functionality provided by OIM 11g. As more and more customers implement OIM 11g, new challenges arise and new issues are uncovered. OIM 11g is a very powerful platform, but given the complexity of the problems OIM tries to solve, we have to admit that the product itself is sometimes not the easiest for customers to implement. The tools described in this series of articles have the purpose of facilitating the implementation of advanced capabilities of OIM, or of enhancing some of the features of OIM to make them capable of fulfilling certain use cases that have been traditionally complex to implement (but nevertheless, always possible).

In this article we will cover the design of a framework that allows business users to define provisioning processes that include approvals, sophisticated approval request routing and advanced user interface customization capabilities. A reference implementation of this framework will be presented in subsequent posts along the series.

Overview

OIM 11g defines two types of processes: Provisioning and Approval Processes. Provisioning processes are defined in OIM’s Design Console, whereas the Approval Processes are implemented in Oracle’s SOA Suite via SOA Composites and BPEL. As you can imagine, customers now have to deal with the intricacies of BPEL and the corresponding tool set. In some cases, the customers don’t have the necessary skill set to be able to customize Approval processes to fulfill complex use cases. This tends to produce less than desired results because, if best practices are not followed properly, there is a strong chance that the end solution won’t perform as expected. Now, because Approval processes are defined using SOA Suite artifacts, only experienced developers that understand JDeveloper will be able to implement any required customizations to the processes. Moreover, Approval Processes are the ones most closely associated with the business, so Business Users should be able to define the approval flows that make sense to their business.

So the idea here is to design a set of tools that can be run on top of OIM 11g’s engine and that will allow business users to define provisioning processes and approval flows. In order to achieve this, the tool kit needs to have the following:

A set of components that will perform tasks required by the framework, including:

A Pre-Populate adapter that supports multi-value attributes.

A SOA Composite that will execute provisioning tasks and request application roles used to provision resources (this will be explained in detail later on).

An XML Schema to represent provisioning process definitions in XML.

The GUI that Administrators and/or Business Users can use to define provisioning processes.

A set of hooks where developers can implement extensibility interfaces to extend the functionality of the framework; these extensions can be deployed through the interface mentioned above.

Framework Components

The first thing to be addressed is the definition of the components in the framework. So the best way I know to start defining such components is to make a list of the tasks that are part of a provisioning operation. Here they are:

Capture User Data

Route Approval Requests

Provision Approved Resources

Capture User Data

In this case the method used to capture data is via forms. While OIM allows for the definition of input forms, these apply to resource objects that are to be provisioned. OIM has the following process to configure request based provisioning:

Connectors define a Data Set which could potentially be customized. A data set is an XML file that contains the definition of the fields displayed in an input form, including the UI element used to capture the value for the field and other metadata that indicates to whom the field is visible, the type of value it accepts and whether it is mandatory or not.

The Data Set has to be imported into MDS to be usable for Request Based Provisioning. This is not done at the time the connector is installed; it is done afterwards. The reason for this is that Data Sets can be customized to fulfill particular requirements, so it would not make sense to import a dataset by default until customers are certain that the out of the box Data Set will address their needs.

A provisioning form is still required for entering the data for the request. This is the input form that OIM allows administrators to design and it is used for the actual resource provisioning. This form can be pre-populated with information coming from a variety of sources, including OIM’s user profile attributes. This is one of the capabilities we intend to leverage in our solution with a few tweaks.

If the provisioning of a resource is subject to approval, then a request template configured with the proper approval process is necessary. This is also dependent on the data sets for the resources being imported to MDS.

As made evident by the description above, OIM has a bit of a complex setup when it comes to self-service request based provisioning. Even though the complexity is somewhat justified for the sake of flexibility and feature richness, it can easily get out of hand. So the approach I am going to follow to simplify this configuration is the following:

In order to prevent administrators from having to import datasets to MDS just to be able to request a resource object, I am going to use access policies in combination with out of the box roles and a customization used to manage multi-value attributes in OIM’s User profile.

There are already out of the box request templates to self-request role assignment which don’t require importing a data set. So I intend to leverage those templates for my implementation.

A specialized composite will be written to execute my version of a provisioning process which internally will generate requests for roles associated to each requested resource.

Route Approval Request

As part of any provisioning process, approvals may be and are often required. An approval process that can be easily defined by business users through a provided user interface will be executed by a customized SOA Composite generated using OIM 11g’s command line tools (I call this composite OIM’s Composite).

OIM’s Composite invokes a Web Service that generates a representation of an approval routing in XML which is read by the configuration of the participants of the composite’s Human Task. This representation is generated based on the specification of the approval process defined by the business users.

In this manner Business Users don’t need to be experts in JDeveloper or even need a developer to implement approval flows, because these can be defined using an intuitive user interface. These descriptors are stored on the file system, so if working with a cluster of OIM Servers they need to be available on all servers, but this requires only copying the files and that’s it; no server restarts are necessary.

Provision Approved Resources

Since all we are doing is leveraging OIM’s advanced capabilities for automatic provisioning, this is taken care of by the access policies and potentially a pre-populate adapter to support multi-value attributes.

The idea is to have a role associated to each Resource Object/IT Resource combination so a policy can easily be defined for the automatic provisioning of a resource object instance connected to an IT Resource target. If child forms need to be populated, the custom pre-populate adapter will take that information from a special table (part of this framework) that extends the user profile of OIM to support multi-value attributes.

Summary

This first article describes a framework that has the goal of simplifying the use of OIM 11g's features in customer implementations. The article only covers the design of such a framework, while subsequent posts will cover a reference implementation of the components described here that customers and partners can leverage to build a tool kit targeted at making OIM 11g implementations simpler.

Wednesday, July 11, 2012

If you utilize nested and dynamic groups (and especially nested dynamic groups), then it can take a lot of effort and time to calculate all of a user’s group memberships in an LDAP directory.

First you have to search for the user and find the user’s DN. Then you have to search all your groups to figure out which groups your user is directly a member of. Then for each of those groups you have to search all your groups again to see which groups have those groups as members.

You have to continue to search your groups with the results of each subsequent search until you reach the maximum desired level of nested memberships that you want to pursue or all the searches come back empty. All the while you have to keep yourself out of infinite loops created by repeating memberships, such as when two groups are members of each other.
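The search loop described above, as an added example (not code from the original post): an in-memory stand-in for the directory lets the breadth-first expansion, the depth cap and the cycle guard run offline; group names, the user and the labeleduri filter are all constructed, and dynamic groups are limited to a single equality filter.

```python
"""Resolve a user's groups the manual way: find the groups holding the user,
then the groups holding those groups, until a round comes back empty or the
depth cap is hit.  Added example, not code from the original post; the directory
is a constructed in-memory stand-in and labeleduri support is equality-only."""
from collections import deque

PEOPLE, GROUPS_OU = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
USERS = {f"cn=alice,{PEOPLE}": {"departmentNumber": "42"}}

def g(name):
    return f"cn={name},{GROUPS_OU}"

# Constructed groups: (static member DNs, labeleduri or None).  staff and all
# are members of each other, the infinite-loop case the post warns about.
GROUPS = {
    g("dev"): ({f"cn=alice,{PEOPLE}"}, None),
    g("eng"): ({g("dev")}, None),
    g("staff"): ({g("eng"), g("all")}, None),
    g("all"): ({g("staff"), g("dept42")}, None),
    g("dept42"): (set(), f"ldap:///{PEOPLE}??sub?(departmentNumber=42)"),
}

def dynamic_match(labeleduri, dn):
    """Apply the equality filter at the tail of a labeleduri to a user entry.
    Group DNs carry no user attributes, so they never match dynamically."""
    attrs = USERS.get(dn)
    if attrs is None:
        return False
    base, _, rest = labeleduri[len("ldap:///"):].partition("?")
    if not dn.lower().endswith(base.lower()):
        return False
    attr, _, value = rest.rsplit("?", 1)[1].strip("()").partition("=")
    return attrs.get(attr) == value

def search_groups_containing(dn):
    """One 'search all your groups' round trip for a user or group DN."""
    return {grp for grp, (members, uri) in GROUPS.items()
            if dn in members or (uri is not None and dynamic_match(uri, dn))}

def resolve_memberships(user_dn, max_depth=10):
    """Breadth-first expansion; `seen` collects results and breaks cycles."""
    seen, frontier, depth = set(), deque([user_dn]), 0
    while frontier and depth < max_depth:
        depth += 1
        for _ in range(len(frontier)):  # one nesting level per pass
            for grp in search_groups_containing(frontier.popleft()):
                if grp not in seen:
                    seen.add(grp)
                    frontier.append(grp)
    return seen
```

Each pass of the while loop is one more round of "search all your groups"; with max_depth=1 only the direct and dynamic memberships come back, and the mutual staff/all membership terminates because `seen` is checked before a group is queued again.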

Many LDAP directories simplify things through a virtual “member of” attribute which is a virtual multi valued attribute containing all of the groups a user is a member of through both direct and indirect means.

It may have escaped your notice, but OID joined the party fairly recently (in 11.1.1.4 I believe) and now supports such an attribute. The attribute’s name is orclMemberOf. You can read all about the attribute here; but suffice it to say it is a dynamic multi valued attribute containing the groups to which a member belongs.

The membership includes both direct membership and indirect membership from nested groups. It also includes membership from dynamic groups and dynamic nested groups based on labeleduri.

The attribute value is computed during a search and is not stored. This means you will not see orclMemberOf populated in an LDAP data browser including ODSM. Further, the value is not returned by default in searches. You have to explicitly request it. Lastly, orclMemberOf cannot be used in a search filter.

One nice little additional feature thrown in is that the aliases memberof and ismemberof are supported, for compatibility with code written for Active Directory and Oracle Directory Server Enterprise Edition (DSEE) / SunOne / IPlanet.

Below is a sample search with results for a specific user where I request and receive the value(s) of orclMemberOf. You will also notice that nested memberships are returned multiple times, once for each group that the user belongs to that is a member of another given group. So, watch out for that.
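To make the repeated-value behaviour concrete, here is an added example (not the post's own sample output) that parses the LDIF an ldapsearch requesting orclMemberOf would print, including folded continuation lines, and collapses the duplicate group DNs into one list. The LDIF text is constructed for the example.

```python
"""Parse ldapsearch-style LDIF for orclMemberOf and drop the repeated values
the post warns about.  Added example, not the original post's sample; the
LDIF below is constructed and the DN normalisation is deliberately simple."""

# Constructed output of a search that explicitly asked for orclMemberOf.  The
# staff value is folded over two lines (LDIF continuation = leading space) and
# appears a second time in a different letter case; eng appears twice as-is.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
cn: alice
orclMemberOf: cn=dev,ou=groups,dc=example,dc=com
orclMemberOf: cn=eng,ou=groups,dc=example,dc=com
orclMemberOf: cn=staff,ou=groups,
 dc=example,dc=com
orclMemberOf: cn=eng,ou=groups,dc=example,dc=com
orclMemberOf: CN=Staff,OU=Groups,DC=example,DC=com
"""

def unfold(ldif):
    """Join continuation lines onto the line before them; skip blanks/comments."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def normalise_dn(dn):
    """Lower-case and strip whitespace around commas.  Enough to compare DNs
    coming from one directory; not a full RFC 4514 canonicaliser."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def member_of(ldif, attr="orclMemberOf"):
    """Return the attribute's values with duplicates removed, first-seen order."""
    seen, groups = set(), []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            key = normalise_dn(value.strip())
            if key not in seen:
                seen.add(key)
                groups.append(value.strip())
    return groups
```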

In a future post, I'll discuss how you can use the orclMemberOf attribute to greatly speed up authentication into WebLogic and Fusion Middleware Products such as SOA Suite and WebCenter which utilize WebLogic's security framework.